Monthly Malware Statistics: February 2010

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position  Change in position  Name                                    Number of infected computers
1         0                   Net-Worm.Win32.Kido.ir                  274729
2         +1                  Virus.Win32.Sality.aa                   179218
3         +1                  Net-Worm.Win32.Kido.ih                  163467
4         -2                  Net-Worm.Win32.Kido.iq                  121130
5         0                   Worm.Win32.FlyStudio.cu                 85345
6         +3                  Trojan-Downloader.Win32.VB.eql          56998
7         New                 Exploit.JS.Aurora.a                     49090
8         +9                  Worm.Win32.AutoIt.tc                    48418
9         +1                  Virus.Win32.Virut.ce                    47842
10        +4                  Packed.Win32.Krap.l                     47375
11        -3                  Trojan-Downloader.WMA.GetCodec.s        43295
12        0                   Virus.Win32.Induc.a                     40257
13        New                 not-a-virus:AdWare.Win32.RK.aw          39608
14        -3                  not-a-virus:AdWare.Win32.Boran.z        39404
15        +1                  Worm.Win32.Mabezat.b                    38905
16        New                 Trojan.JS.Agent.bau                     34842
17        +3                  Packed.Win32.Black.a                    32439
18        +1                  Trojan-Dropper.Win32.Flystud.yo         32268
19        Return              Worm.Win32.AutoRun.dui                  32077
20        New                 not-a-virus:AdWare.Win32.FunWeb.q       30942

The composition of the top five was unchanged this month (only the order shifted), and judging by the number of infected computers the Kido epidemic has eased off slightly.

Exploit.JS.Aurora.a is, as its name suggests, a program designed to take advantage of vulnerabilities in software products. This exploit was widely used in February and consequently entered the rating in seventh place. Further details are given in the section "Malicious programs on the Internet".

Other newcomers in February included two adware programs.

FunWeb.q, in 20th place, is a typical example of an adware program. It is a toolbar for popular browsers that gives users easy access to resources on certain websites (usually those with multimedia content). It also modifies the pages visited so that they display adverts.

The case of not-a-virus:AdWare.Win32.RK.aw (in thirteenth place) is rather more complex. This RelevantKnowledge application is bundled with, and installed alongside, other software products. The company's privacy policy and EULA state that the program tracks virtually all user activity, particularly Internet activity, automatically collecting personal information and saving it to the company's servers. They also state that all the data collected is used exclusively to "help shape the future of the Internet" and that the data is well secured. Whether this is true or not is up to the individual to decide.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position  Change in position  Name                                    Number of attempted downloads
1         Return              Trojan-Downloader.JS.Gumblar.x          453985
2         -1                  Trojan.JS.Redirector.l                  346637
3         New                 Trojan-Downloader.JS.Pegel.b            198348
4         +3                  not-a-virus:AdWare.Win32.Boran.z        80185
5         -2                  Trojan-Downloader.JS.Zapchast.m         80121
6         New                 Trojan-Clicker.JS.Iframe.ea             77067
7         New                 Trojan.JS.Popupper.ap                   77015
8         +3                  Trojan.JS.Popupper.t                    64506
9         New                 Exploit.JS.Aurora.a                     54102
10        New                 Trojan.JS.Agent.aui                     53415
11        New                 Trojan-Downloader.JS.Pegel.l            51019
12        New                 Trojan-Downloader.Java.Agent.an         47765
13        New                 Trojan-Clicker.JS.Agent.ma              45525
14        New                 Trojan-Downloader.Java.Agent.ab         42830
15        New                 Trojan-Downloader.JS.Pegel.f            41526
16        Return              Packed.Win32.Krap.ai                    38567
17        New                 Trojan-Downloader.Win32.Lipler.axkd     38466
18        New                 Exploit.JS.Agent.awd                    35024
19        New                 Trojan-Downloader.JS.Pegel.k            34665
20        New                 Packed.Win32.Krap.an                    33538

The state of affairs regarding malware on the Internet in February was quite remarkable, and this is reflected in our second rating.

First of all, there was a dramatic surge in Gumblar.x, which regained the top spot after virtually disappearing in January. Last month we suggested there might be another Gumblar attack, and it did not take long to materialize. This time, however, the attackers have not changed their approach in any significant way; they have simply been gathering new credentials that can be used to access websites before infecting them en masse. We will be keeping track of any further developments.

Secondly, the Pegel epidemic that started in January grew almost six-fold: there are four representatives of this family among the new entries, one of which went straight in at third place. Pegel is a downloader and in some ways resembles Gumblar, in that it also infects perfectly legitimate websites. A user who visits an infected site is redirected by the malicious script to a cybercriminal resource. To avoid arousing suspicion, the names of popular websites are embedded in the addresses of the malicious pages as subdomain labels and path components, while the actual registered domain is an unrelated .ru name. For example:

http://friendster-com.youjizz.com.jeuxvideo-com.**********.ru:8080/sify.com/sify.com/pdfdatabase.com/google.com/allegro.pl.php

http://avast-com.deviantart.com.dangdang-com.**********.ru:8080/wsj.com/wsj.com/google.com/nokia.com/aweber.com.php

These links lead to pages containing another script which uses a number of different methods to download the main executable file. The methods are mostly traditional: exploiting vulnerabilities in major software products such as Internet Explorer (CVE-2006-0003) and Adobe Reader (CVE-2007-5659, CVE-2009-0927), as well as downloading via a special Java applet. The main executable file is the now familiar Backdoor.Win32.Bredolab, packed using various malicious packers (several of which are detected as Packed.Win32.Krap.ar and Packed.Win32.Krap.ao). We have already written about this malware in some detail, but it is worth repeating that in addition to its main payload, remote control of infected machines, it can also download other malicious files.
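The decoy addresses quoted above all share one structure: the brand names are decorations, and the only part an attacker had to register is the rightmost label pair. The following Python is an added example, not code from the original report, showing the check a practitioner would apply to such a URL: isolate the registrable domain and list which brand names appear only as decoys in the subdomain or path. The brand list and the tiny public-suffix table are assumptions for illustration (a real deployment would use the Public Suffix List); the two sample URLs are the ones quoted in the report, with the redacted label left as printed.

```python
from urllib.parse import urlsplit

# Illustrative brand list, assembled from the decoy names seen above.
# A real filter would carry a much larger list.
BRANDS = frozenset({
    "friendster", "youjizz", "jeuxvideo", "sify", "pdfdatabase", "google",
    "allegro", "avast", "deviantart", "dangdang", "wsj", "nokia", "aweber",
})

# Minimal stand-in for the Public Suffix List: under these suffixes the
# registrable name is the third label from the right, not the second.
TWO_LEVEL_SUFFIXES = frozenset({"co.uk", "com.pl", "com.au", "co.jp", "com.br"})

# The two addresses quoted in the report (redacted label kept as printed).
SAMPLE_URLS = [
    "http://friendster-com.youjizz.com.jeuxvideo-com.**********.ru:8080/"
    "sify.com/sify.com/pdfdatabase.com/google.com/allegro.pl.php",
    "http://avast-com.deviantart.com.dangdang-com.**********.ru:8080/"
    "wsj.com/wsj.com/google.com/nokia.com/aweber.com.php",
]


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname (eTLD+1).

    Simplified: plain TLDs plus the few two-level suffixes listed above.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_tokens(text: str) -> set:
    """Brand names occurring as whole tokens once '.', '-' and '/' are split.

    'friendster-com' and 'google.com' both yield their brand token.
    """
    tokens = text.lower().replace("-", ".").replace("/", ".").split(".")
    return {tok for tok in tokens if tok in BRANDS}


def decoy_brands(url: str) -> dict:
    """Split a URL into the part an attacker owns and the decoys around it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    # Everything to the left of the registrable domain is attacker-chosen.
    subdomain = host[: -len(owner)].rstrip(".") if owner and host.endswith(owner) else ""
    return {
        "registrable_domain": owner,
        "port": parts.port,
        "owner_brands": sorted(brand_tokens(owner)),
        "subdomain_brands": sorted(brand_tokens(subdomain)),
        "path_brands": sorted(brand_tokens(parts.path)),
    }


def looks_like_decoy(url: str) -> bool:
    """True when brands appear only in the disposable parts of the address.

    A real brand site (www.google.com) carries its brand in the registrable
    domain, so it is not flagged; the Pegel-style addresses are.
    """
    info = decoy_brands(url)
    decoys = info["subdomain_brands"] or info["path_brands"]
    return bool(decoys) and not info["owner_brands"]


if __name__ == "__main__":
    for sample in SAMPLE_URLS + ["https://www.google.com/search?q=pegel"]:
        info = decoy_brands(sample)
        print(f"{info['registrable_domain']}:{info['port']} "
              f"decoy={looks_like_decoy(sample)} sub={info['subdomain_brands']} "
              f"path={info['path_brands']}")
```

The useful output is not the brand list itself but the contrast: for each of the sample addresses the registrable domain carries no brand at all, while the subdomain and path together carry five or six. That asymmetry is what a URL-reputation rule should key on, rather than the presence of a trusted name anywhere in the string.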

And now back to Exploit.JS.Aurora.a, which was mentioned above. At number nine in the second rating, Aurora.a is an exploit for the vulnerability CVE-2010-0249, which was identified after a massive targeted attack against several versions of Internet Explorer in January.

The attack, which received wide coverage in the IT media, targeted major organizations (including Google and Adobe) and was named Aurora after part of a file path found in one of the main executable files. It was designed to gain access to personal data and corporate intellectual property such as project source code. The attack was carried out using emails with links to malicious sites; these sites contained exploits which resulted in the main executable file being stealthily downloaded to victim machines.

Remarkably, Microsoft had been aware of this vulnerability for a number of months, yet it was only patched a month after it began to be exploited. It is worth pointing out that during that time the source code of the exploit became publicly available, and only the laziest cybercriminals failed to use it in their attacks: our collection already contains more than a hundred malware variants that exploit this vulnerability.

The facts speak for themselves. Vulnerabilities in popular software continue to pose the main threat to users and their data. The fact that cybercriminals are still exploiting vulnerabilities disclosed several years ago shows that those vulnerabilities still pose a real threat, because enough unpatched machines remain. Unfortunately, even regularly updating software from major vendors does not guarantee security, as vendors do not always release patches promptly. It is therefore important to exercise caution, particularly when browsing the Internet, and an up-to-date antivirus solution is a must.
